Extracted

• • Target

    JaffaCakes118_8d496d4cd90fc4f686e2fe25a2a12e29

  • Size

    14.7MB

  • MD5

    8d496d4cd90fc4f686e2fe25a2a12e29

  • SHA1

    af7136255b04e8062ae6d91315d25db19b817339

  • SHA256

    2beb5b451168718338d33ee3110dc770a0a3886f9fc72c636411a117c6fbd196

  • SHA512

    80b3981ac60e97c01835259dbcc79a20b3559baabeb134c3b5e32bd5f6f4eb6659473886fb30f0358e3d32def0e3ac4aaa7ba8a5a94733c53be3f2b6e3625523

  • SSDEEP

    1536:TVZK1I9rn2BHELrWh9iuDdJm7CyY8rhGDNDxTWNdUhUFIq:XK1Mn2BHsrt4mYnrMdUh

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2